Malicious PDF — malware analysis report

Static analysis result for SHA-256 e1e55d391e4ac8d0…

MALICIOUS

PDF

39.7 KB Created: 2020-09-03 13:16:42 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b4abc6bd7af5bb8f6d6a65625f6d3d71 SHA-1: d7e70041f208e8a7e46643132b15f58da2a3e517 SHA-256: e1e55d391e4ac8d0c01d4b3aed106aae60bd6d383869dd48c71e5a549a24c58a
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains multiple embedded links, including one that points to a known malicious redirector. The document body, though heavily garbled, contains text related to a 'Jasper report' issue and a URL that appears to be a lure. The presence of a link farm heuristic further suggests a malicious intent to drive traffic to external sites. The primary malicious link identified is https://ttraff.link/wix?keyword=jasper+report+subreport+does+not+display.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=jasper+report+subreport+does+not+display
    • https://cdn.shopify.com/s/files/1/0432/1342/2753/files/fopuwutikiketekilodinigum.pdf
    • https://cdn.shopify.com/s/files/1/0435/8258/7037/files/biodegradable_polymers_book.pdf
    • https://cdn.shopify.com/s/files/1/0427/9628/6111/files/3172196148.pdf
    • https://cdn.shopify.com/s/files/1/0440/5710/0453/files/bloody_mary_song.pdf
    • https://static.usrfiles.com/ugd/9904c2_d8e5c7d6d2bd425989c24723b4c4e5c5.pdf
    • https://static.usrfiles.com/ugd/5c7528_3587d31028544fc4b6734ecf7a198c1b.pdf
    • https://static.usrfiles.com/ugd/4bb894_b10626fe5c71482d8053875871864af4.pdf
    • https://static.usrfiles.com/ugd/b8c837_ed9871661708467aadf8c849b8467d8d.pdf
    • https://static.usrfiles.com/ugd/b8c837_fbdc8e6b6902448cb83e89134be9ba4f.pdf
    • https://static.usrfiles.com/ugd/f5bc2a_b39b97895c4a4a68bb10d55013f64e39.pdf
    • https://static.usrfiles.com/ugd/607883_42596efc50d74cf8ad8ed6ad0f236e1f.pdf
    • https://cdn.shopify.com/s/files/1/0440/9376/7832/files/bambusa_tulda.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/nanejixiv.pdf
    • https://cdn.shopify.com/s/files/1/0429/0691/0876/files/thaumcraft_research_mastery.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c11.bin
061f74bfdf161a778f073ff7246f22b826f340d762d8f74d620867e20ecf1db3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C11 5184 bytes
font_01_sfnt_off00006dc1.bin
d03eb202d24ae0b2ebe047c386b3b2842ce9b27e61e3a327304480a197deb582		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DC1 11044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.